-
Notifications
You must be signed in to change notification settings - Fork 54
158 lines (139 loc) · 6.27 KB
/
release.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
name: create release on new tags
# This workflow is triggered by new version tags (e.g. "1.12.2" without leading "v") on the main
# branch.
#
# Tagging should be automatic after each merged PR release (see the build.yaml workflow).
# Alternatively, this workflow can be triggered by manually creating a tag on the main branch with
# the aforementioned format. Note that the tests are *not* run by this workflow, and that you
# should therefore apply caution before manually tagging the main branch in order to trigger it.
#
# This workflow contains a check that the tag matches the version set in
# ./pkg/chartverifier/version/version_info.json.
#
# In order to recreate a GitHub release and rebuild its associated assets, first the tag needs to
# be manually deleted (e.g `git tag --delete 1.12.2 && git push --delete origin 1.12.2`). The
# GitHub release that was created for this tag automatically turns into a "Draft" release and will
# need to be manually cleaned up, though it doesn't constitute a blocker for this workflow to run.
# Finally, as mentioned above, create a new tag (e.g. `git tag 1.12.2 && git push --tags`) to
# recreate the release.
#
# This workflow builds all release assets (the tarball and the container images), creates the
# Github release and attaches the tarball to it.
on:
push:
# Publish semver tags as releases.
tags: '[0-9]+.[0-9]+.[0-9]+'
env:
IMAGE_NAME: chart-verifier
jobs:
build-and-release:
name: Create GitHub release
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Install cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
with:
cosign-release: 'v2.2.4'
- name: Print tag to GITHUB_OUTPUT
id: get_tag
run: |
echo "release_version=${GITHUB_REF#refs/*/}" | tee -a $GITHUB_OUTPUT
- name: Build binary and make tarball
id: build_bin
run: |
make bin
TARBALL_NAME="chart-verifier-${{ steps.get_tag.outputs.release_version }}.tgz"
tar -zcvf $TARBALL_NAME -C out/ chart-verifier
export TARBALL_PATH=$(realpath $TARBALL_NAME)
echo "tarball_path=$TARBALL_PATH" | tee -a $GITHUB_OUTPUT
- name: Check that the tag matches the current version
id: check_tag_and_version
run: |
release_version=${{ steps.get_tag.outputs.release_version }}
bin_version=$(out/chart-verifier version --as-data | jq -r .version)
if [[ "$release_version" != "$bin_version" ]]; then
echo "Binary version ($bin_version) doesn't match tag ($release_version)" && exit 1
fi
- name: Generate SBOM filename
id: generate_sbom_filename
run: echo sbom_filename="${{ github.event.repository.name }}-${{ steps.get_tag.outputs.release_version }}-sbom.spdx.json" | tee -a $GITHUB_OUTPUT
- name: Generate SBOM
continue-on-error: true
id: generate_sbom
uses: anchore/sbom-action@v0
with:
# Setting path to null works around this bug:
# https://github.com/anchore/sbom-action/issues/389
path: null
file: go.mod
format: spdx-json
output-file: ${{ steps.generate_sbom_filename.outputs.sbom_filename }}
artifact-name: ${{ steps.generate_sbom_filename.outputs.sbom_filename }}
upload-release-assets: false
- name: Set up Python 3.x
uses: ./.github/actions/setup-python
- name: Set up Python scripts
run: |
# set up python requirements and scripts on PR branch
python3 -m venv ve1
cd scripts && ../ve1/bin/pip3 install -r requirements.txt && cd ..
cd scripts && ../ve1/bin/pip3 install . && cd ..
- name: Generate release body
id: release_body
run: echo "release_body=$(ve1/bin/print-release-body)" | tee -a $GITHUB_OUTPUT
- name: Create the release
id: create_release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ steps.get_tag.outputs.release_version }}
body: ${{ steps.release_body.outputs.release_body }}
files: |
${{ steps.build_bin.outputs.tarball_path }}
${{ steps.generate_sbom_filename.outputs.sbom_filename }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Build container images
id: build_container_images
run: |
# Build podman images locally
make build-image IMAGE_TAG=${{ steps.get_tag.outputs.release_version }} IMAGE_REPO=${{ secrets.IMAGE_REGISTRY }}
podman tag \
${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get_tag.outputs.release_version }} \
${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- name: Push to quay.io
id: push_to_quay
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ env.IMAGE_NAME }}
tags: |
latest
${{ steps.get_tag.outputs.release_version }}
registry: ${{ secrets.IMAGE_REGISTRY }}
username: ${{ secrets.QUAY_BOT_USERNAME }}
password: ${{ secrets.QUAY_BOT_TOKEN }}
- name: Sign published image
id: sign-image
run: |
cosign sign \
--yes \
--registry-username ${{ secrets.QUAY_BOT_USERNAME }} \
--registry-password ${{ secrets.QUAY_BOT_TOKEN }} \
${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push_to_quay.outputs.digest }}
- name: Verify the image signature
run: |
cosign verify \
--certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release.yaml@refs/tags/${{ steps.get_tag.outputs.release_version }} \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get_tag.outputs.release_version }}